We had the exact same thing with a number of subscriber accounts being created. We also had “anyone can register” enabled, but by design. We are an association web-site. Anyone can access the public parts of the site and post comments but we have the Ultimate Member plug-in installed so some pages are restricted to members only and you have to be logged in to access these pages. We had hoped to be able to allow members of the association to fill out a ‘Register’ form and then have accounts created as ‘pending’ before being approved as subscribers which then gave them rights to access the members’ pages.
With ‘anyone can register’ set, the hacker bots can completely bypass the Ultimate Member plug-in and create accounts.
We installed Wordfence and blacklisted about 100 IP addresses as the attacks came in. We also disabled ‘anyone can register’ and it is still disabled. Obviously, the attacks have stopped but we would like to find a way of allowing our members to register which currently would mean switching ‘anyone can register’ back on.
Any suggestions?
